Seam EJB3 authorization
desanocra Dec 30, 2007 7:22 PMi have a application with java webstart frontend which uses security restriction with @RolesAlowed annotation. Now i want to add a seam frontend. My Problem is that i can login but cant call any restricted EJB methods.
The Application stores the user passwords encrypted. This is the reason why the Java-Swing-Webstart Frontend store uses this piece of code to login:
public LoginContext createLoginContext(final String inUsername, char[] inPassword, Subject inSubject) { try { mIsAdmin = false; mUsername=inUsername; mPassword= new char[inPassword.length]; System.arraycopy(inPassword, 0, mPassword, 0, inPassword.length); mLoginContext = new LoginContext("myrealm", inSubject, new CallbackHandler(){ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for(int i = 0; i < callbacks.length; i++) { if (callbacks instanceof NameCallback) { NameCallback nameCallback = (NameCallback)callbacks; nameCallback.setName(inUsername); } else if (callbacks instanceof PasswordCallback) { PasswordCallback pwCallback = (PasswordCallback)callbacks; String aEncPwd = SecurityUtils.getCryptedPwd(mUsername, mPassword); for(int j=0; j < mPassword.length; j++) { mPassword[j] = ' '; } pwCallback.setPassword(aEncPwd.toCharArray()); } else throw new UnsupportedCallbackException(callbacks); } } } ); } catch (LoginException e) { getLogger().log(LogLevel.ERROR, CommonResources.getMsg("auth.LoginModule.login.context.creation.failed"), e); return null; } return mLoginContext; } public User getUser(final String inUsername) { try { String aAuthCtrlRemote = CommonResources.getBeanJndiNames().getString("controller.authentication"); getLogger().log(LogLevel.DEBUG, "Using AuthenticationController Bean: {0}", aAuthCtrlRemote); AuthenticationController aBean = (AuthenticationController) CommonFactory.getInitialContext().lookup(aAuthCtrlRemote); if(inUsername != null) { try { User aUser = aBean.qryUser(inUsername); return aUser; }catch(javax.ejb.EJBAccessException e) { getLogger().log(LogLevel.ERROR, "Error: {0}", e); } } } catch (Exception e) { getLogger().log(LogLevel.ERROR, "Error: {0}", e); } return null; } public boolean login(final String inUsername, char[] inPassword) { if(mLoginContext != null) { logout(); } LoginContext aLoginContext = createLoginContext(inUsername, inPassword, new Subject()); // Durchführung des Logins try { if(aLoginContext != null) { aLoginContext.login(); } } catch (LoginException e) { getLogger().log(LogLevel.DEBUG, CommonResources.getMsg("view.LoginView.auth.failed"), e); return false; } try { String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession"); getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl); ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl); //TODO locale session bean.startLocaleSession("a"); User aUser = getUser(mUsername); if(aUser != null) { mIsAdmin = aUser.getRole().isAdmin(); } else { mIsAdmin = false; } } catch (RuntimeException e) { getLogger().log(LogLevel.ERROR, "{0}", e); return false; } catch (NamingException e) { getLogger().log(LogLevel.ERROR, "{0}", e); return false; } fireEvent(true); return true; }
After execution the Java-Swing-Webstart client can call any restircted EJB method for the role of the logged-in user. For Example
String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession"); getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl); ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl); bean.startLocaleSession("a");
I use the same mechanism for seam. I wrote an Authenticator.
@Stateful @Name("authenticator") @Local( { SeamAuthenticator.class }) public class SeamAuthenticatorImpl implements SeamAuthenticator { public SeamAuthenticatorImpl() { } @SuppressWarnings("unchecked") @PermitAll public boolean login() { Identity aIdentity = Identity.instance(); String aUsername = aIdentity.getUsername(); String aPassword = aIdentity.getPassword(); Identity.setSecurityEnabled(true); if (aPassword == null) { aPassword = "admin"; aIdentity.setPassword(aPassword); } mCtrl = ClientFactory.getClientLoginCtrl(); LoginContext aLoginContext = mCtrl.createLoginContext(aUsername, aPassword.toCharArray(), aIdentity.getSubject()); if(aLoginContext != null) { try { aIdentity.authenticate(aLoginContext); try{ String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession"); getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl); ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl); bean.startLocaleSession("a"); } }catch(NamingException e) { getLogger().log(LogLevel.ERROR, "{0}", e); e.printStackTrace(); } return aIdentity.isLoggedIn(); } catch (LoginException e) { getLogger().log(LogLevel.ERROR, "{0}", e); e.printStackTrace(); return false; } } return false; } @Destroy @Remove public void destroy() {} /* * with the @Out annotation this bean can change the value of the <code>user</code> * context variable and make the new instance available to other session * beans and JSF pages */ @SuppressWarnings("unused") @Out(required = false, scope = SESSION) private User user; private ClientLoginController mCtrl; static Logger getLogger() { return CommonFactory.getLogManager().getLogger( SeamAuthenticatorImpl.class.getName()); } }
The authentication works , Identity.isLoggedIn() == true, but the call bean.startLocaleSession("a"); fails. with
23:42:40,468 ERROR [ClientLoginCtrlImpl] Error: javax.ejb.EJBAccessException: Authorization failure|utab javax.ejb.EJBAccessException: Authorization failure at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:120) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77) at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:240) at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:210) at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:84) at $Proxy343.qryUser(Unknown Source) at impl.x.x.common.client.ctrl.ClientLoginCtrlImpl.getUser(ClientLoginCtrlImpl.java:89) at impl.x.x.server.ctrl.SeamAuthenticatorImpl.login(SeamAuthenticatorImpl.java:67) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166) at org.jboss.seam.intercept.EJBInvocationContext.proceed(EJBInvocationContext.java:44) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56) at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:46) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.persistence.ManagedEntityIdentityInterceptor.aroundInvoke(ManagedEntityIdentityInterceptor.java:48) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:31) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:42) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.persistence.EntityManagerProxyInterceptor.aroundInvoke(EntityManagerProxyInterceptor.java:26) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.persistence.HibernateSessionProxyInterceptor.aroundInvoke(HibernateSessionProxyInterceptor.java:27) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107) at org.jboss.seam.intercept.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:50) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118) at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.entity.ExtendedPersistenceContextPropagationInterceptor.invoke(ExtendedPersistenceContextPropagationInterceptor at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPolicy.invokeInCallerTx(TxPolicy.java:126) at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:195) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:95) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateful.StatefulInstanceInterceptor.invoke(StatefulInstanceInterceptor.java:83) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77) at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106) at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101) at org.jboss.ejb3.stateful.StatefulContainer.localInvoke(StatefulContainer.java:206) at org.jboss.ejb3.stateful.StatefulLocalProxy.invoke(StatefulLocalProxy.java:119) at $Proxy322.login(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.seam.util.Reflections.invoke(Reflections.java:21) at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31) at org.jboss.seam.intercept.ClientSideInterceptor$1.proceed(ClientSideInterceptor.java:76) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56) at org.jboss.seam.ejb.RemoveInterceptor.aroundInvoke(RemoveInterceptor.java:41) at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68) at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107) at org.jboss.seam.intercept.ClientSideInterceptor.invoke(ClientSideInterceptor.java:54) at org.javassist.tmp.java.lang.Object_$$_javassist_2.login(Object_$$_javassist_2.java) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329) at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342) at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58) at org.jboss.el.parser.AstValue.invoke(AstValue.java:96) at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276) at org.jboss.seam.core.Expressions$2.invoke(Expressions.java:174) at org.jboss.seam.security.jaas.SeamLoginModule.login(SeamLoginModule.java:108) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703) at javax.security.auth.login.LoginContext.login(LoginContext.java:575) at org.jboss.seam.security.Identity.authenticate(Identity.java:259) at org.jboss.seam.security.Identity.authenticate(Identity.java:248) at org.jboss.seam.security.Identity.login(Identity.java:205) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329) at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342) at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58) at org.jboss.el.parser.AstValue.invoke(AstValue.java:96) at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276) at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68) at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:77) at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:91) at javax.faces.component.UICommand.broadcast(UICommand.java:383) at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184) at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162) at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350) at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:97) at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251) at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:117) at javax.faces.webapp.FacesServlet.service(FacesServlet.java:244) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83) at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:68) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:85) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141) at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281) at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:60) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58) at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69) at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:595)
Whats wrong ? Why i cant call a restricted EJB method ?